The Target Case: How a Small Supplier Brought a Giant to Its Knees
Although it has been a long time since the 2013 attack on Target’s supply chain, the incident is still a valuable source of lessons for today’s CXOs and managers.
More than ever before, companies are connected to their suppliers globally. These chains often cross continents and time zones. On the one hand, companies gain operational efficiency, but on the other, they also open potential security holes in their operations.
Target could tell you. Their biggest security breach came through a small supplier. Attacks on large targets with large security budgets are not as profitable for attackers. It is much more efficient to use a third party as an entry point into the world of a secure giant.
Since suppliers and their customers mutually trust each other, attackers then attack under the guise of a “Trusted Partner” brand. But how does such an attack work and what can you, as managers, learn from the Target case? That is what today’s article is about.
What Is a Supply Chain Attack?
Let’s illustrate this principle with the example of a supermarket. Such a store has different suppliers for different products. One of its suppliers delivers beverages to it every day. One day, robbers hijack the delivery truck and disguise themselves as employees of the supplier.
They deliver the goods to the supermarket, so everything looks fine. But the robbers start moving around the store unnoticed, stealing customers’ wallets and even robbing the accounting department.
A cyber attack via a supplier works in the same way. Only instead of robbers, we have malicious software (malware) and instead of a supermarket, we have any company in the world.
However, the two basic steps always remain the same:
- The attackers first compromise the supplier and take control of some part of its activity.
- They then use the supplier’s connections to the customer and carry out the main attack through the trusted channels between the supplier and the customer.
How Did It Happen at Target?
We will now apply these general principles to the Target incident.
The attackers used a phishing attack on Fazio Mechanical Services, a company that supplied HVAC equipment to Target. They used social engineering to gain access to internal systems (KrebsOnSecurity).
The attackers then used a supplier platform. They did not use the products and services that the attacked supplier provided to Target, but the system that was used for invoicing and managing contracts in Target’s supply chain (CEI).
Thanks to this access, the attackers were able to get into Target’s internal network and implement malware on payment terminals at the retail giant’s branches. All this just before Black Friday (RedRiver).
Hackers infected several other servers within the Target ecosystem in order to get stolen credit card data to servers outside the retail company’s internal network (US Senate).
Although the security department had malware detection and antivirus software in place, these systems ran into a fundamental problem: people. The software was set up only to detect, not remove, infected packages. Even when the sirens went off, Target employees ignored them. In the end, Target learned about the attack from the credit card companies (Columbia U).
Impacts on Target
The attack resulted in the theft of 70 million credit card details and the personal data of 40 million customers (Framework Security). These were credit card details and personal data that could have been used for unauthorized payments. In other words, the attackers managed to steal data that they could then monetize.
What did the costs say? Target had to spend $292 million, which covered the class action lawsuit and the costs of the state investigation. Another $100 million was spent on new or updated IT security.
What did the market say? On the day the cyberattack was announced, the stock price fell by 2.2%. Translated into the company’s value – a loss of $890 million in value.
What did the customers say? In the year following the attack, Target earned 28.6% less compared to the previous period (NBER). Customers were not satisfied and many of them were afraid to shop at this chain again.
What did the structure say? Both the CEO and CIO left their positions after this incident (SIPA).
As you can see, Target was hit from all sides. All it took was one unauthorized entry into the system and the result was total losses climbing to a billion dollars (SIPA).
Did Target learn a lesson from this experience? Yes. Not only did it strengthen its internal security systems, but it even used more secure variants for payment terminals.
The company also established a surveillance center, a security department, strengthened its internal security team, and replaced management (RedRiver).
How Can CXOs Learn a Free Lesson?
Thanks to the detailed investigation of the Target incident, there are many recommendations and outputs that should help CXOs not to fall into the same trap as the management of the retail giant more than a decade ago. These best practices result from the details of the attack that took place.
- Secure Supplier – It is not enough to be careful about your own cybersecurity. Companies should also thoroughly check all their suppliers and request audits of their security.
- Need-to-Know – Suppliers do not need far-reaching rights within their customers’ systems. The company must minimize access by external entities to a bare minimum.
- Zero trust – And even if a supplier is granted some rights, it does not mean that it is automatically marked as trustworthy. The principle of zero trust should apply within the company (to its own employees), and all the more so to third parties.
- Reaction to detection – Target had a functional malware detection system, but the people who were supposed to react to such a finding failed. Therefore, it is necessary to supplement the detection systems with processes that will be effective in the event of a security breach. It is better to deal with 10 false alarms than one neglected attack.
- Security is a strategic topic – CXOs often do not have a deep understanding of technical issues, and it should not be their priority. However, this does not mean that they should relegate all IT-related topics to the IT department. Cybersecurity is not merely a technical issue. As you can see, not only the CIO but also the CEO left Target. Both were held responsible for the problem that occurred.
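The Need-to-Know and Reaction-to-detection points above can be turned into something a security team actually runs. The following is an added example written for this article, not code from Target, its suppliers or any cited source: a vendor account is bound to the only zone it needs (the invoicing portal), every access outside that scope raises an alert, and alerts nobody acknowledges within an SLA are surfaced for escalation instead of being left to sit. Account names, zone names, the sample events and the SLA are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical need-to-know scopes: the only network zone each supplier
# credential is allowed to reach. Names are constructed for this example.
VENDOR_SCOPES = {
    "hvac-vendor": {"vendor-portal"},
}

# Constructed sample access events: (timestamp, account, destination zone).
# The last two mimic a vendor credential wandering beyond the billing portal.
SAMPLE_EVENTS = [
    ("2013-11-15T09:00:00", "hvac-vendor", "vendor-portal"),
    ("2013-11-15T09:05:00", "hvac-vendor", "internal-app"),
    ("2013-11-27T22:10:00", "hvac-vendor", "pos-segment"),
]


@dataclass
class Alert:
    ts: datetime
    message: str
    acknowledged: bool = False


def scope_violations(events, scopes=VENDOR_SCOPES):
    """Return one Alert for every vendor event outside the account's allowed zones.
    Unknown accounts have no scope at all, so every access they make is flagged."""
    alerts = []
    for ts, account, zone in events:
        allowed = scopes.get(account)
        if allowed is None or zone not in allowed:
            alerts.append(Alert(
                datetime.fromisoformat(ts),
                f"{account} reached {zone}; allowed scope: {sorted(allowed or [])}",
            ))
    return alerts


def overdue_alerts(alerts, now, sla=timedelta(hours=4)):
    """Alerts that nobody acknowledged within the SLA. These are the ones a
    process must escalate to a named owner; detection alone is not a response."""
    return [a for a in alerts if not a.acknowledged and now - a.ts > sla]
```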
What Are Your Free Lessons?
Finally, we can summarize the lessons from the Target case into individual sentences.
- The strength of a chain is determined by its weakest link.
- Zero trust is the basis of cooperation.
- Notification of cyber issues must be supplemented by a human response.
- When a problem occurs, communicate immediately.
- Cybersecurity is mainly a leadership topic.
Which ones will you take to heart?